Chapter 1 Centralized MAC Address Authentication Configuration Commands
1.1.1 display mac-authentication
Syntax
display mac-authentication [ interface interface-list ]
View
Any view
Parameter
interface-list: List of Ethernet ports. You can specify multiple Ethernet ports by providing this argument in the form of interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where &<1-10> means that you can provide up to 10 port indexes/port index ranges for this argument.
Description
Use the display mac-authentication command to display global information about centralized MAC address authentication, including:
- The state of centralized MAC address authentication (enabled/disabled)
- Timer settings
- The number of online users
- The MAC addresses in quiet period
- MAC authentication information about each port
Example
# Display the global information about centralized MAC address authentication.
<H3C> display mac-authentication
mac address authentication is Enabled.
authentication mode is UsernameAsMacAddress
Fixed username:mac
Fixed password:not configured
offline detect period is 300s
quiet period is 60s.
server response timeout value is 100s
max allowed user number is 1024
current user number amounts to 1
current domain: not configured, use default domain
Silent Mac User info:
MAC ADDR From Port Port Index
Ethernet1/0/1 is link-up
MAC address authentication is Enabled
Authenticate success: 1, failed: 0
Current online user number is 1
MAC ADDR Authenticate state AuthIndex
000d-88f8-4e71 MAC_AUTHENTICATOR_SUCCESS 0
……
Table 1-1 Description of the fields of the display mac-authentication command
| Field | Description |
|---|---|
| mac address authentication is Enabled | Centralized MAC address authentication is enabled. |
| authentication mode | Centralized MAC address authentication mode. The default is the MAC address mode. |
| Fixed username | User name used in the fixed mode, which defaults to mac. |
| Fixed password | Password used in the fixed mode, which is not configured by default. |
| offline detect period | Offline detect timer, which sets the time interval to check whether a user goes offline and defaults to 300 seconds. |
| quiet period | Quiet timer, which sets the quiet period. A switch goes through a quiet period if a user fails to pass the MAC address authentication. The default value is 60 seconds. |
| server response timeout value | Server timeout timer, which sets the timeout time for the connection between a switch and the RADIUS server. By default, it is 100 seconds. |
| max allowed user number | The maximum number of users supported by the switch. It is 1,024 by default. |
| current user number amounts to | The current number of users |
| current domain | The current domain. It is not configured by default. |
| Silent Mac User info | Information about silent users. When a user fails to pass MAC address authentication because of an incorrect user name and password, the switch places the user in the quiet state. During the quiet period, the switch does not process the authentication requests of this user. |
| Ethernet1/0/1 is link-up | The link connected to Ethernet1/0/1 port is up. |
| MAC address authentication is Enabled | MAC address authentication is enabled for Ethernet1/0/1 port. |
| Authenticate success: 1, failed: 0 | Statistics of the MAC address authentications performed on the port, including the numbers of successful and failed authentication operations. |
| Current online user number | The number of users currently accessing the network through the port |
| MAC ADDR | Peer MAC address |
| Authenticate state | The state of the users accessing the network through the port, which can be: MAC_AUTHENTICATOR_CONNECTING: Connecting; MAC_AUTHENTICATOR_SUCCESS: Authentication passed; MAC_AUTHENTICATOR_FAILURE: Failed to pass authentication; MAC_AUTHENTICATOR_LOGOFF: Offline |
| AuthIndex | Index of the current MAC address with regard to the authentication port |
1.1.2 mac-authentication
Syntax
mac-authentication
undo mac-authentication
View
System view, Ethernet port view
Parameter
None
Description
Use the mac-authentication command to enable centralized MAC address authentication globally or for a specified port.
Use the undo mac-authentication command to disable centralized MAC address authentication globally or for a specified port.
By default, centralized MAC address authentication is disabled both globally and for a port.
When executed in system view, the mac-authentication command enables centralized MAC address authentication globally.
When executed in Ethernet port view, the mac-authentication command enables centralized MAC address authentication for the current port.
You can configure other MAC address authentication-related attributes before or after you enable centralized MAC address authentication globally or for a port. Attributes that are not configured take their default values when you enable centralized MAC address authentication.
Example
# Enable centralized MAC address authentication globally.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] mac-authentication
MAC-Authentication is already enabled globally.
# Enable centralized MAC address authentication for Ethernet1/0/1 port.
[H3C] interface Ethernet 1/0/1
[H3C-Ethernet1/0/1] mac-authentication
1.1.3 mac-authentication interface
Syntax
mac-authentication interface interface-list
undo mac-authentication interface interface-list
View
System view
Parameter
interface-list: List of Ethernet ports. You can specify multiple Ethernet ports by providing this argument in the form of interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where &<1-10> means that you can provide up to 10 port indexes/port index ranges for this argument.
Description
Use the mac-authentication interface command to enable centralized MAC address authentication for specified ports.
Use the undo mac-authentication interface command to disable centralized MAC address authentication on specified ports.
By default, centralized MAC address authentication is disabled on a port.
- To make the centralized MAC address authentication configuration take effect on a port, you need to enable centralized MAC address authentication for the port after you enable centralized MAC address authentication globally.
- The configuration of the maximum number of learned MAC addresses (configured through the mac-address max-mac-count command) is unavailable for the ports with centralized MAC address authentication enabled. Similarly, centralized MAC address authentication is unavailable for the ports with the maximum number of learned MAC addresses configured.
Example
# Enable centralized MAC address authentication for Ethernet1/0/1 port.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] mac-authentication interface Ethernet 1/0/1
1.1.4 mac-authentication authmode usernameasmacaddress
Syntax
mac-authentication authmode usernameasmacaddress [ usernameformat { with-hyphen | without-hyphen } ]
undo mac-authentication authmode
View
System view
Parameter
usernameformat: Specifies the input format of the username and password.
with-hyphen: Uses hyphened MAC addresses as usernames and passwords, 00-05-e0-1c-02-e3 for example.
without-hyphen: Uses MAC addresses without hyphens as usernames and passwords, 0005e01c02e3 for example.
Description
Use the mac-authentication authmode usernameasmacaddress command to specify the centralized MAC address authentication mode as MAC address.
Use the undo mac-authentication authmode command to restore the default centralized MAC address authentication mode.
By default, the MAC address mode is adopted for the centralized MAC address authentication.
Example
# Specify centralized MAC address authentication mode as MAC address, using hyphened MAC addresses as the usernames and passwords.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] mac-authentication authmode usernameasmacaddress usernameformat with-hyphen
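An added example, not H3C code: a small audit helper that parses display mac-authentication output, reports global settings that differ from the defaults in Table 1-1, and converts the MAC notation shown in that output into the with-hyphen and without-hyphen account names described above. The function names are hypothetical, and the sample text is an abridged copy of this page's example output with the wrapped lines rejoined.

```python
import re

# Constructed sample: this page's example output, abridged, wrapped lines rejoined.
SAMPLE = """\
mac address authentication is Enabled.
authentication mode is UsernameAsMacAddress
offline detect period is 300s
quiet period is 60s.
server response timeout value is 100s
max allowed user number is 1024
current user number amounts to 1
Ethernet1/0/1 is link-up
MAC address authentication is Enabled
Authenticate success: 1, failed: 0
Current online user number is 1
MAC ADDR Authenticate state AuthIndex
000d-88f8-4e71 MAC_AUTHENTICATOR_SUCCESS 0
"""

# Defaults documented in Table 1-1 (timers in seconds).
DEFAULTS = {"offline detect period": 300, "quiet period": 60,
            "server response timeout value": 100, "max allowed user number": 1024}
USER = re.compile(r"^((?:[0-9a-f]{4}-){2}[0-9a-f]{4})\s+(MAC_AUTHENTICATOR_\w+)\s+(\d+)$", re.I)

def parse_display(text):
    """Return (global numeric settings, {port: {success, failed, users}})."""
    settings, ports, port = {}, {}, None
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"^(.+?) is (\d+)s?\.?$", line):
            if m[1] in DEFAULTS:          # ignores per-port "Current online user number"
                settings[m[1]] = int(m[2])
        elif m := re.match(r"^(\S+\d+/\d+/\d+) is link-\w+$", line):
            port = ports.setdefault(m[1], {"success": 0, "failed": 0, "users": []})
        elif port is not None and (m := re.match(r"^Authenticate success: (\d+), failed: (\d+)$", line)):
            port["success"], port["failed"] = int(m[1]), int(m[2])
        elif port is not None and (m := USER.match(line)):
            port["users"].append((m[1].lower(), m[2]))
    return settings, ports

def non_default(settings):
    """Global settings that differ from the documented defaults."""
    return {k: v for k, v in settings.items() if v != DEFAULTS[k]}

def radius_username(mac, with_hyphen):
    """Account name the RADIUS server must hold for this MAC (usernameformat)."""
    digits = mac.replace("-", "").lower()
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2)) if with_hyphen else digits
```

The switch displays MAC addresses as xxxx-xxxx-xxxx, so the account names held on the RADIUS server have to be generated in the configured usernameformat rather than copied from the display output.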
1.1.5 mac-authentication authmode usernamefixed
Syntax
mac-authentication authmode usernamefixed
undo mac-authentication authmode
View
System view
Parameter
None
Description
Use the mac-authentication authmode usernamefixed command to specify the centralized MAC address authentication mode as fixed mode.
Use the undo mac-authentication authmode command to restore the default centralized MAC address authentication mode.
By default, the MAC address mode is adopted.
Example
# Specify centralized MAC address authentication mode as fixed mode.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] mac-authentication authmode usernamefixed
1.1.6 mac-authentication authpassword
Syntax
mac-authentication authpassword password
undo mac-authentication authpassword
View
System view
Parameter
password: Password to be set, a string comprising 1 to 63 characters.
Description
Use the mac-authentication authpassword command to set a password for centralized MAC address authentication when the fixed mode is adopted.
Use the undo mac-authentication authpassword command to cancel the configured password.
By default, no fixed password is configured.
Example
# Set the password to mac.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] mac-authentication authpassword mac
1.1.7 mac-authentication authusername
Syntax
mac-authentication authusername username
undo mac-authentication authusername
View
System view
Parameter
username: User name to be set, a string comprising 1 to 55 characters.
Description
Use the mac-authentication authusername command to set a user name when the fixed mode is adopted.
Use the undo mac-authentication authusername command to restore the default user name.
By default, the user name used in MAC address authentication (in the fixed mode) is mac.
Example
# Set the user name to vipuser for fixed mode.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] mac-authentication authusername vipuser
1.1.8 mac-authentication domain
Syntax
mac-authentication domain isp-name
undo mac-authentication domain
View
System view
Parameter
isp-name: ISP domain name, a string comprising up to 24 characters. Note that this argument cannot be null and cannot contain these characters: “/”, “:”, “*”, “?”, “<”, and “>”.
Description
Use the mac-authentication domain command to configure an ISP domain for centralized MAC address authentication.
Use the undo mac-authentication domain command to restore the default ISP domain for centralized MAC address authentication.
By default, the domain for centralized MAC address authentication is not configured, and the “default domain” is used as the ISP domain name.
Example
# Configure the domain for centralized MAC address authentication to be Cams.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] mac-authentication domain Cams
1.1.9 mac-authentication timer
Syntax
mac-authentication timer { offline-detect offline-detect-value | quiet quiet-value | server-timeout server-timeout-value }
undo mac-authentication timer { offline-detect | quiet | server-timeout }
View
System view
Parameter
offline-detect-value: Offline detect timer (in seconds) setting. This argument ranges from 1 to 65,535 and defaults to 300. The offline detect timer sets the time interval for a switch to test whether a user goes offline.
quiet-value: Quiet timer (in seconds) setting. This argument ranges from 1 to 3,600 and defaults to 60. After a user fails to pass the authentication performed by a switch, the switch quiets for a specific period (the quiet period) before it authenticates the user again.
server-timeout-value: Server timeout timer setting (in seconds). This argument ranges from 1 to 65,535 and defaults to 100. During authentication, the switch prohibits a user from accessing the network through the corresponding port if the connection between the switch and the RADIUS server times out.
Description
Use the mac-authentication timer command to configure the timers used in centralized MAC address authentication.
Use the undo mac-authentication timer command to restore a timer to its default setting.
Related command: display mac-authentication.
Example
# Set the server timeout timer to 150 seconds.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] mac-authentication timer server-timeout 150
1.1.10 reset mac-authentication statistics
Syntax
reset mac-authentication statistics [ interface interface-type interface-number ]
View
User view
Parameter
interface-type: Port type.
interface-number: Port number.
Description
Use the reset mac-authentication statistics command to clear the centralized MAC address authentication statistics. If you execute this command with the interface keyword specified, the centralized MAC address authentication statistics of the specified port are cleared. If the keyword is not specified, the command clears the global centralized MAC address authentication statistics.
Example
# Clear the centralized MAC address authentication statistics of Ethernet1/0/1 port.
<H3C> reset mac-authentication statistics interface Ethernet 1/0/1